Hi there guys, Lately I been having a big problem and one big annoying problem. I everytime I restart my PC and go into IE my google search bar get change for one that is called under tools "This Browse Mess." I can not find a Unistall program for this and can not seem to remove it with Ad-Aware 6.0, I also use CWShredder and it said my system was clean. Then I try Spybot Search & Destroy and I got alot of things celan but so far this darn bar is still here. Everytime I try to put google for a search it remove google and place it self instead. Can anyone guide me in the right direction in removing this annoying search bar?

My OS info are this here.

Windows XP Pro SP2 CR2
IE v6.0

Thanks In Advance!

Post your HiJackThis log.

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Hi there guys, Lately I been having a big problem and one big annoying problem. I everytime I restart my PC and go into IE my google search bar get change for one that is called under tools "This Browse Mess." I can not find a Unistall program for this and can not seem to remove it with Ad-Aware 6.0, I also use CWShredder and it said my system was clean. Then I try Spybot Search & Destroy and I got alot of things celan but so far this darn bar is still here. Everytime I try to put google for a search it remove google and place it self instead. Can anyone guide me in the right direction in removing this annoying search bar?

My OS info are this here.

Windows XP Pro SP2 CR2
IE v6.0

Thanks In Advance!


DJ, this is gonna sound real weird. If it works, I am gonna be a bit unhappy.

Try this:

Turn off MSN Messenger.

then disable it from autostarting.

then reboot.

then see if your IE works.

If anyone wants to know why, look at http://www.mess.be/ and be very VERY careful what you grab\download from there, it has in some of its offerings, MSN Messenger bots for practical jokers amongst its offerings. These bots can be reprogrammed. GEEZE! GAGME!!!!

Anyone know of a good MSN-BOT remover software???

HINT, NO, I did not download anything from there, but I can just SEE bots in skin archives being one heck of a way to hijack a browser!!!

John D.

Logfile of HijackThis v1.97.7
Scan saved at 7:35:25 PM, on 4/15/2004
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\rmctrl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\TCAUDIAG.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\PROGRA~1\DENTDE~1\forholdmode.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\DJAngelicon\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {371176AB-0812-2E42-CD3A-C985449E7D07} - C:\PROGRA~1\MORE1S~1\locks open.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: This browse mess - {DDBFF02A-530D-FAB0-2BDD-A2B68856CCB8} - C:\PROGRA~1\MORE1S~1\locks open.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [TimeBlue] C:\PROGRA~1\DENTDE~1\forholdmode.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: SpeedUpMyPC.lnk = C:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ComcastHSI (HKLM)
O9 - Extra button: Support (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Help (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1081495687796
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/install/00010/initial.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38069.9219444444
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/comcast/TrueInstallComcast.exe

Welcome to short-media.

There's some in there that I'd get rid of personally, but they may not be totally malicious.

However, do get rid of the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {371176AB-0812-2E42-CD3A-C985449E7D07} - C:\PROGRA~1\MORE1S~1\locks open.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: This browse mess - {DDBFF02A-530D-FAB0-2BDD-A2B68856CCB8} - C:\PROGRA~1\MORE1S~1\locks open.dll
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - Global Startup: SpeedUpMyPC.lnk = C:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/install/00010/initial.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.6.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

I would read this article (http://www.short-media.com/review.php?r=132) and run the "cocktail" on your system to clean up any remaining junkware.

:)

Thanks Alot Guys! It help and I Got it off. I did everything ya said plus I found a Folder on Program----more1spam--- ( it had a file called "lock open.dll" file on it that can't be deleted under normal windows ) So I when into safe mode and killed it. Now runing Ad-aware 6 and then Norton Anti-virus for the final clean up.

Once again Thanks for ya help!

Besafe Ya,
Angel

I would toast a couple more:



C:\PROGRA~1\DENTDE~1\forholdmode.exe
C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

By the way, Weatherbug = :rarr:

Always installs Spyware / Adware on your system. Do not use it.

Dexter...

Ok did that, I killed all of those and also unistalled Weather Bug off.

Great, next you have to install this on your computer:

http://www.stanford.edu/group/pandegroup/folding/winstructions.html

And join the Short-Media Folding at Home team. Team # is 93, and feel free to use the username Dexter :)

If none of that makes sense, see the links in my signature block :)

Dexter...

Hehe I can see that the Spyware forum is the place to recruit Folding partners!!

Well listen to Dexter DJ ! I did and I am since a much happier and safer computer user!

Peace,

requin